# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Gitlab::Middleware::SameSiteCookies do
using RSpec::Parameterized::TableSyntax
include Rack::Test::Methods
let(:user_agent) { nil }
let(:mock_app) do
Class.new do
attr_reader :cookies, :user_agent
def initialize(cookies)
@cookies = cookies
end
def call(env)
[
200,
{ 'Set-Cookie' => cookies },
['OK']
]
end
end
end
let(:app) { mock_app.new(cookies) }
subject do
described_class.new(app)
end
describe '#call' do
let(:request) { Rack::MockRequest.new(subject) }
def do_request
request.post('/some/path', { 'HTTP_USER_AGENT' => user_agent }.compact )
end
context 'without SSL enabled' do
before do
allow(Gitlab.config.gitlab).to receive(:https).and_return(false)
end
context 'with cookie' do
let(:cookies) { "thiscookie=12345" }
it 'does not add headers to cookies' do
response = do_request
expect(response['Set-Cookie']).to eq(cookies)
end
end
end
context 'with SSL enabled' do
before do
allow(Gitlab.config.gitlab).to receive(:https).and_return(true)
end
context 'with no cookies' do
let(:cookies) { "" }
it 'does not add headers' do
response = do_request
expect(response['Set-Cookie']).to eq("")
end
end
context 'with different browsers' do
where(:description, :user_agent, :expected) do
"iOS 12" | "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1" | false
"macOS 10.14 + Safari" | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Safari/605.1.15" | false
"macOS 10.14 + Opera" | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36 OPR/47.0.2631.55" | false
"macOS 10.14 + Chrome v80" | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36" | true
"Chrome v41" | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.1 Safari/537.36" | true
"Chrome v50" | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2348.1 Safari/537.36" | true
"Chrome v51" | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2718.15 Safari/537.36" | false
"Chrome v62" | "Mozilla/5.0 (Macintosh; Intel NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36" | false
"Chrome v66" | "Mozilla/5.0 (Linux; Android 4.4.2; Avvio_793 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.126 Mobile Safari/537.36" | false
"Chrome v67" | "Mozilla/5.0 (Linux; Android 7.1.1; SM-J510F Build/NMF26X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3371.0 Mobile Safari/537.36" | true
"Chrome v85" | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36" | true
"Chromium v66" | "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/66.0.3359.181 HeadlessChrome/66.0.3359.181 Safari/537.36" | false
"Chromium v85" | "Mozilla/5.0 (X11; Linux aarch64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/85.0.4183.59 Chrome/85.0.4183.59 Safari/537.36" | true
"UC Browser 12.0.4" | "Mozilla/5.0 (Linux; U; Android 4.4.4; zh-CN; A31 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.0.4.986 Mobile Safari/537.36" | false
"UC Browser 12.13.0" | "Mozilla/5.0 (Linux; U; Android 7.1.1; en-US; SM-C9000 Build/NMF26X) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.13.0.1207 Mobile Safari/537.36" | false
"UC Browser 12.13.2" | "Mozilla/5.0 (Linux; U; Android 9; en-US; Redmi Note 7 Build/PQ3B.190801.002) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.13.2.1208 Mobile Safari/537.36" | true
"UC Browser 12.13.5" | "Mozilla/5.0 (Linux; U; Android 5.1.1; en-US; PHICOMM C630 (CLUE L) Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.13.5.1209 Mobile Safari/537.36" | true
"Playstation" | "Mozilla/5.0 (PlayStation 4 2.51) AppleWebKit/537.73 (KHTML, like Gecko)" | true
end
with_them do
let(:cookies) { "thiscookie=12345" }
it 'returns expected SameSite status' do
response = do_request
if expected
expect(response['Set-Cookie']).to include('SameSite=None')
else
expect(response['Set-Cookie']).not_to include('SameSite=None')
end
end
end
end
context 'with single cookie' do
let(:cookies) { "thiscookie=12345" }
it 'adds required headers' do
response = do_request
expect(response['Set-Cookie']).to eq("#{cookies}; Secure; SameSite=None")
end
end
context 'multiple cookies' do
let(:cookies) { "thiscookie=12345\nanother_cookie=56789" }
it 'adds required headers' do
response = do_request
expect(response['Set-Cookie']).to eq("thiscookie=12345; Secure; SameSite=None\nanother_cookie=56789; Secure; SameSite=None")
end
end
context 'multiple cookies with some missing headers' do
let(:cookies) { "thiscookie=12345; SameSite=None\nanother_cookie=56789; Secure" }
it 'adds missing headers' do
response = do_request
expect(response['Set-Cookie']).to eq("thiscookie=12345; SameSite=None; Secure\nanother_cookie=56789; Secure; SameSite=None")
end
end
context 'multiple cookies with all headers present' do
let(:cookies) { "thiscookie=12345; Secure; SameSite=None\nanother_cookie=56789; Secure; SameSite=None" }
it 'does not add new headers' do
response = do_request
expect(response['Set-Cookie']).to eq(cookies)
end
end
end
end
end